From b42682d1feb002747c21e0ee4e3d47fa85036223 Mon Sep 17 00:00:00 2001 From: Michael Steiner Date: Fri, 15 Mar 2024 09:52:40 -0700 Subject: [PATCH] Harden SGX-mode registration * Handle missing SGX verification status CONFIGURATION_AND_SW_HARDENING_NEEDED Signed-off-by: Michael Steiner --- eservice/pdo/eservice/pdo_enclave.py | 2 ++ ledgers/ccf/transaction_processor/pdo_tp.cpp | 6 ++++-- ledgers/ccf/transaction_processor/pdo_tp.h | 1 + pservice/lib/libpdo_enclave/secret_enclave.cpp | 2 +- 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/eservice/pdo/eservice/pdo_enclave.py b/eservice/pdo/eservice/pdo_enclave.py index 9228ca7a..5b707e97 100644 --- a/eservice/pdo/eservice/pdo_enclave.py +++ b/eservice/pdo/eservice/pdo_enclave.py @@ -309,6 +309,8 @@ def create_signup_info(originator_public_key_hash, nonce): logger.warning("Quote has GROUP_OUT_OF_DATE status (update your BIOS/microcode!!!) keep going") elif _ias.last_verification_error() == "SW_HARDENING_NEEDED": logger.warning("Quote has SW_HARDENING_NEEDED status (update your platform!!!) keep going") + elif _ias.last_verification_error() == "CONFIGURATION_AND_SW_HARDENING_NEEDED": + logger.warning("Quote has CONFIGURATION_AND_SW_HARDENING_NEEDED status (update your platform!!!) keep going") else: logger.error("invalid report fields") return None diff --git a/ledgers/ccf/transaction_processor/pdo_tp.cpp b/ledgers/ccf/transaction_processor/pdo_tp.cpp index 149cec10..3865b219 100644 --- a/ledgers/ccf/transaction_processor/pdo_tp.cpp +++ b/ledgers/ccf/transaction_processor/pdo_tp.cpp @@ -293,8 +293,10 @@ namespace ccfapp // Verify the verification report enclave quote status transform(verification_report.isvEnclaveQuoteStatus.begin(), verification_report.isvEnclaveQuoteStatus.end(), verification_report.isvEnclaveQuoteStatus.begin(), ::toupper); - if ((verification_report.isvEnclaveQuoteStatus != OK_QUOTE_STATUS) && (verification_report.isvEnclaveQuoteStatus != GROUP_OUT_OF_DATE_QUOTE_STATUS) && - (verification_report.isvEnclaveQuoteStatus != SW_HARDENING_NEEDED_QUOTE_STATUS)) { + if ((verification_report.isvEnclaveQuoteStatus != OK_QUOTE_STATUS) && + (verification_report.isvEnclaveQuoteStatus != GROUP_OUT_OF_DATE_QUOTE_STATUS) && + (verification_report.isvEnclaveQuoteStatus != SW_HARDENING_NEEDED_QUOTE_STATUS) && + (verification_report.isvEnclaveQuoteStatus != CONFIGURATION_AND_SW_HARDENING_NEEDED_QUOTE_STATUS)) { return ccf::make_error( HTTP_STATUS_BAD_REQUEST, ccf::errors::InvalidInput, "Enclave attestation report verification Failed. Invalid quote status"); } diff --git a/ledgers/ccf/transaction_processor/pdo_tp.h b/ledgers/ccf/transaction_processor/pdo_tp.h index e2810aa2..1975d7cd 100644 --- a/ledgers/ccf/transaction_processor/pdo_tp.h +++ b/ledgers/ccf/transaction_processor/pdo_tp.h @@ -61,6 +61,7 @@ namespace ccfapp const string OK_QUOTE_STATUS{"OK"}; const string GROUP_OUT_OF_DATE_QUOTE_STATUS{"GROUP_OUT_OF_DATE"}; const string SW_HARDENING_NEEDED_QUOTE_STATUS{"SW_HARDENING_NEEDED"}; + const string CONFIGURATION_AND_SW_HARDENING_NEEDED_QUOTE_STATUS{"CONFIGURATION_AND_SW_HARDENING_NEEDED"}; const int BASENAME_SIZE{32}; const int ORIGINATOR_KEY_HASH_SIZE{64}; diff --git a/pservice/lib/libpdo_enclave/secret_enclave.cpp b/pservice/lib/libpdo_enclave/secret_enclave.cpp index 38a48cb4..8d83938d 100644 --- a/pservice/lib/libpdo_enclave/secret_enclave.cpp +++ b/pservice/lib/libpdo_enclave/secret_enclave.cpp @@ -613,7 +613,7 @@ pdo_err_t VerifyEnclaveInfo(const std::string& enclaveInfo, int r; // verify quote (group-of-date is considered ok) r = verify_enclave_quote_status(verificationReport.c_str(), verificationReport.length(), - QSF_ACCEPT_GROUP_OUT_OF_DATE | QSF_ACCEPT_SW_HARDENING_NEEDED); + QSF_ACCEPT_GROUP_OUT_OF_DATE | QSF_ACCEPT_SW_HARDENING_NEEDED | QSF_ACCEPT_CONFIGURATION_AND_SW_HARDENING_NEEDED); pdo::error::ThrowIf( r!=VERIFY_SUCCESS, "Invalid Enclave Quote");